# {{output.header}}
# {{{output.link}}}
smtpd_use_tls = yes

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /path/to/signed_cert_plus_intermediates
smtpd_tls_key_file = /path/to/private_key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3{{#unless (includes "TLSv1" output.protocols)}}, !TLSv1{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}}, !TLSv1.1{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}}, !TLSv1.2{{/unless}}
smtpd_tls_protocols = !SSLv2, !SSLv3{{#unless (includes "TLSv1" output.protocols)}}, !TLSv1{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}}, !TLSv1.1{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}}, !TLSv1.2{{/unless}}
{{#if output.ciphers.length}}
smtpd_tls_mandatory_ciphers = medium
{{/if}}
{{#if output.usesDhe}}

# {{output.dhCommand}} > /path/to/dhparam.pem
# not actually 1024 bits, this applies to all DHE >= 1024 bits
smtpd_tls_dh1024_param_file = /path/to/dhparam.pem
{{/if}}

{{#if output.ciphers.length}}
tls_medium_cipherlist = {{{join output.ciphers ":"}}}
{{/if}}
tls_preempt_cipherlist = {{#if output.serverPreferredOrder}}yes{{else}}no{{/if}}